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TITLE: Secure intranet access 



Brief Summary Paragraph Right (3) : 

With the growth of such secure networks and their information content, there is an 
urgent need to support secure access by authorized users even when those users log 
in from a client machine outside the network security perimeter. A wide variety of 
tools and techniques relating to networks and/or security are known, at least 
individually and to at least some extent, including: computer network architectures 
including at least transport and session layers, sockets, clients, and servers; 
hyperlinks and uniform/universal resource locators (URLs); communications links such 
as Internet connections and LAN connections; proxy servers for HTTP and some other 
protocols; internetworking; Kerberos authentication; authentication through 
certificates exchanged during an SSL handshake; tying certificates to access control 
lists so that users are identified in certificates presented during the SSL 
handshake instead of being identified by an IP address, DNS name, or username and 
password; multiple instances of a server on the same machine in order to serve both 
insecure and secure documents; using a single password to log into an entire network 
rather than logging into individual servers; proxy servers as an example of servers 
which require user authentication; a secure sockets layer protocol manifestation in 
URLs, including protocol identifiers "http://" and "https://"; the use of a specific 
server port for network communication; various definitions of VPNs (virtual private 
networks); "route filtering" which controls route propagation; Point-to-Point 
Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP); use of encryption 
technologies to provide the segmentation and virtualization required for VPN 
connectivity deployed in almost any layer of the protocol stack; transport or 
application layer VPNs; basic VPN requirements such as user authentication, address 
management, data encryption, key management, and multiprotocol support; tunneling by 
packet encapsulation, packet transmission, and packet unencapsulation; Lightweight 
Directory Access Protocol; a split proxy system for a protected computer network; 
translation between transport layer protocols; translation between IP and non-IP 
protocols; a proxy server within a network which receives a request for a protected 
Web resource from a browser outside the network and requires authentication of the 
browser to the proxy using some combination of a user ID and/or password; 
Novell/NetWare Directory Service (NDS) and user access controls; Windows NT Domain 
directory; Reverse Proxy/Virtual Hosting; a proxy server with HTTP caching; use of a 
proxy server by configuring client software to connect through the proxy server to 
prevent the client from being connected directly to the Internet; SSL encryption; an 
entry manager which serves as a single point of network entry for all users; a 
Trusted Sendmail Proxy, in the context of sensitivity labels and privileges, 
including a small, trusted program which acts as a communication path between an 
inside compartment that performs privileged internal operations and delivers local 
messages and an outside compartment that collects and sends messages without 
privilege; a secured https proxy which apparently does SSL tunneling, logging, and 
reacting to events; software which apparently allows use of https URLs by way of an 
SSL connection with a program that wraps https calls to http; a protocol stream or 
content processor which knows how to convert something involving a URL into a 
proprietary content container which knows its content and that content's type, for 
HTTP, HTTPS, FTP, gopher, and other protocols; redirection of HTTP requests in 
connection with an HTTP proxy; superuser privileges; and object rights and property 
rights which apply to properties of an NDS object, as well as distribution of 
directory information across the network through replication. 
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Herz; Frederick S. M. Davis WV 26260 



APPL-NO: 8/ 985731 [PALM] 
DATE FILED: December 5, 1997 

PARENT-CASE: 

CROSS-REFERENCE TO RELATED APPLICATIONS This patent application was originally filed 
as Provisional Patent Application Ser. No. 60/032,461 on Dec. 9, 1996 and is a 
continuation-in-part of U.S. patent application Ser. No. 08/346,425, filed Nov. 29, 
1994, now U.S. Pat. No. 5,758,257 and titled "SYSTEM AND METHOD FOR SCHEDULING 
BROADCAST OF AND ACCESS TO VIDEO PROGRAMS AND OTHER DATA USING CUSTOMER PROFILES", 
which application is assigned to the same assignee as the present application. 
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TITLE: System for customized electronic identification of desirable objects 



Detailed Description Paragraph Right (61) : 

The service provider must have a means of protection from users who violate 
previously agreed upon terms of service. For example, if a user that uses a given 
pseudonym engages in activities that violate the terms of service, then the service 
provider should be able to take action against the user, such as denying the user 
service and blacklisting the user from transactions with other parties that the user 
might be tempted to defraud. This type of situation might occur when a user employs 
a service provider for illegal activities or defaults in payments to the service 
provider. The method of the paper titled "Security without identification: 
Transaction systems to make Big-Brother obsolete", published in the Communications 
of the ACM, 28(10), October 1985; pp. 1030-1044, incorporated herein, provides for a 
mechanism to enforce protection against this type of behavior through the use of 
resolution credentials, which are credentials that are periodically provided to 
individuals contingent upon their behaving consistent with the agreed upon terms of 
service between the user and information provider and network vendor entities (such 
as regular payment for services rendered, civil conduct, etc.). For the user's 
safety, if the issuer of a resolution credential refuses to grant this resolution 
credential to the user, then the refusal may be appealed to an adjudicating third 
party. The integrity of the user profiles and target profile interest summaries 
stored on proxy servers is important: if a seller relies on such user-specific 
information to deliver promotional offers or other material to a particular class of 
users, but not to other users, then the user-specific information must be accurate 
and untampered with in any way. The user may likewise wish to ensure that other 
parties not tamper with the user's user profile and target profile interest summary, 
since such modification could degrade the system's ability to match the user with 
the most appropriate target objects. This is done by providing for the user to apply 
digital signatures to the control messages sent by the user to the proxy server. 
Each pseudonym is paired with a public cryptographic key and a private cryptographic 
key, where the private key is known only to the user who holds that pseudonym; when 
the user sends a control message to a proxy server under a given pseudonym, the 
proxy server uses the pseudonym's public key to verify that the message has been 
digitally signed by someone who knows the pseudonym's private key. This prevents 
other parties from masquerading as the user. 
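A worked example of the signed-control-message check described in paragraph (61), added here as illustration; it is not code from the patent or its assignee. Each pseudonym is registered with an Ed25519 public key (the patent names no particular signature scheme; Ed25519, the JSON message layout, the pseudonym names and the registry type are assumptions of this example). The proxy looks up the key under the pseudonym named inside the signed body, so a sender cannot sign with their own key and claim another pseudonym in some unsigned envelope field.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ControlMessage is a constructed example of a control message that a user
// sends to the proxy server under a pseudonym. The field layout is an
// assumption of this example, not taken from the patent text.
type ControlMessage struct {
	Pseudonym string `json:"pseudonym"` // key lookup uses this signed field
	Action    string `json:"action"`    // e.g. "update_profile"
	Payload   string `json:"payload"`
}

// SignedMessage is what travels to the proxy: the serialized message plus an
// Ed25519 signature over exactly those bytes.
type SignedMessage struct {
	Body []byte
	Sig  []byte
}

// Registry maps each pseudonym to the public key registered with it.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownPseudonym = errors.New("unknown pseudonym")
	ErrBadSignature     = errors.New("signature does not verify under the pseudonym's public key")
)

// Sign is the user side: serialize the message and sign it with the private
// key that only the holder of the pseudonym knows.
func Sign(priv ed25519.PrivateKey, m ControlMessage) (SignedMessage, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Verify is the proxy side. The pseudonym is read from the signed body, the
// public key registered for that pseudonym is fetched, and the signature is
// checked over the body exactly as received. A body that was altered in
// transit, or one signed with any key other than the one registered for the
// claimed pseudonym, fails with ErrBadSignature.
func (r Registry) Verify(sm SignedMessage) (ControlMessage, error) {
	var m ControlMessage
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return ControlMessage{}, err
	}
	pub, ok := r[m.Pseudonym]
	if !ok {
		return ControlMessage{}, ErrUnknownPseudonym
	}
	if !ed25519.Verify(pub, sm.Body, sm.Sig) {
		return ControlMessage{}, ErrBadSignature
	}
	return m, nil
}

func main() {
	// Constructed keys for two pseudonyms; the names are placeholders.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubM, privM, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"pseud-1234": pubA, "pseud-9876": pubM}

	genuine, _ := Sign(privA, ControlMessage{Pseudonym: "pseud-1234", Action: "update_profile", Payload: "topic:security"})
	_, err := reg.Verify(genuine)
	fmt.Println("genuine message:", err) // <nil>

	// Masquerade attempt: the holder of pseud-9876 signs a message that claims pseud-1234.
	forged, _ := Sign(privM, ControlMessage{Pseudonym: "pseud-1234", Action: "update_profile", Payload: "topic:spam"})
	_, err = reg.Verify(forged)
	fmt.Println("forged message:", err) // ErrBadSignature
}
```

A signature proves that the sender holds the pseudonym's private key and that the body is intact; it says nothing about freshness, so a captured genuine message could be replayed to the proxy unless the message also carries a nonce or sequence number that the proxy tracks. This passage does not cover that, and the example leaves it out.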

Detailed Description Paragraph Right (86) : 

Although users' true identities are protected by the use of secure mix paths, 
pseudonymity does not guarantee complete privacy. In particular, advertisers can in 
principle employ user-specific data to barrage users with unwanted solicitations. 
The general solution to this problem is for proxy server S2 to act as a 
representative on behalf of each user in its user base, permitting access to the 
user and the user's private data only in accordance with criteria that have been set 
by the user. Proxy server S2 can restrict access in two ways: 
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DATE-ISSUED: August 3, 1999 



INVENTOR-INFORMATION: 
NAME 
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Yu; Philip Shi-Lung 



CITY 

Yorktown Heights 
Chappaqua 
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International Business Machines 
Corporation 



CITY STATE ZIP CODE COUNTRY TYPE CODE 
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APPL-NO: 8/ 708004 [PALM] 
DATE FILED: August 9, 1996 



PARENT-CASE: 

RELATED APPLICATIONS The present invention is related to co-pending U.S. patent 
application Ser. No. 08/525,891, entitled "A Fast Method for Mining Path Traversal 
Patterns", by Ming-Syan Chen and Philip S. Yu, filed Sep. 8, 1995, IBM Docket No. 
Y0995-119, which is commonly assigned to the assignee of the present invention, and 
is hereby incorporated by reference in its entirety. 
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US-CL-CURRENT: 709/224 
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Computer Networks, Tanenbaum, Prentice-Hall, 1981, p. xiv, 36 and 86, 1981. 
Dictionary of Computing, Oxford University Press, 1996. 
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DOCUMENT-IDENTIFIER: US 5931912 A 

TITLE: Traversal path-based approach to understanding user-oriented hypertext object 
usage 



Detailed Description Paragraph Right (1) : 

FIG. 1 is a block diagram of a stateless hypertext server system 5 that provides 
services to a plurality of clients 3 through a data communication network 4. An 
example of such a system is a World Wide Web server using the Hypertext Transfer 
Protocol 11 (HTTP) to provide hypertext objects to various clients through the 
Internet. A client system 3 typically uses a software browser 2 to retrieve and 
display hypertext objects 1 through the communication network 4. Often, client 
systems 3 are hidden behind a proxy server 10, also called a firewall, between them 
and the data communication network 4. A proxy server is a firewall which can protect 
client identities from the network. A client can also be directly connected to the 
data communication network without a proxy server. In any case, the communications 
between the client and the server are typically stateless, i.e., after the 
requested hypertext objects are sent to the client from the server, the connection 
is dropped. The server treats each hypertext request as a brand new request without 
prior context. 
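The identity-hiding proxy of FIG. 1, as an added example that is not part of the patent: a Go proxy built on net/http/httputil, shown first with the stock behaviour (which appends the client's IP address to X-Forwarded-For on every outbound request) and then hardened so that identifying headers never reach the origin server. The header list, the origin URL intranet.example.internal, the client address 203.0.113.7 and the Via value are constructed for the demonstration, and a RoundTripper stands in for the network so the example runs offline. The patent's proxy sits on the client side of the network; the header handling shown here is the same whichever direction the proxy faces, and a single-host target keeps the example short.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Request headers that reveal the client's address or the hops it passed
// through. Constructed list for this example.
var identifyingHeaders = []string{"X-Forwarded-For", "X-Real-IP", "X-Client-IP", "Forwarded", "Via"}

// newProxy returns a proxy to target. With anonymize=false it is a stock
// httputil.ReverseProxy, which appends the client's IP to X-Forwarded-For on
// every outbound request. With anonymize=true the Director drops identifying
// headers and tells ReverseProxy not to populate X-Forwarded-For at all.
func newProxy(target *url.URL, anonymize bool) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(target)
	if !anonymize {
		return p
	}
	rewriteTarget := p.Director
	p.Director = func(req *http.Request) {
		rewriteTarget(req)
		for _, h := range identifyingHeaders {
			req.Header.Del(h)
		}
		// Del alone is not enough: when the key is absent, ReverseProxy sets
		// X-Forwarded-For to the client IP after Director returns. A present
		// key with a nil value is its documented signal to omit the header.
		req.Header["X-Forwarded-For"] = nil
	}
	return p
}

// captureTransport stands in for the network: it records the request the
// proxy would have sent to the origin and returns a canned 200 response.
type captureTransport struct{ sent *http.Request }

func (c *captureTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	c.sent = req
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     http.Header{},
		Body:       io.NopCloser(strings.NewReader("ok")),
		Request:    req,
	}, nil
}

// forwardedHeaders pushes one constructed browser request through the proxy
// and returns the identity-bearing headers that arrived on the origin side.
func forwardedHeaders(anonymize bool) (map[string]string, error) {
	target, err := url.Parse("http://intranet.example.internal") // hypothetical origin
	if err != nil {
		return nil, err
	}
	p := newProxy(target, anonymize)
	ct := &captureTransport{}
	p.Transport = ct

	req := httptest.NewRequest(http.MethodGet, "http://proxy.example/doc.html", nil)
	req.RemoteAddr = "203.0.113.7:51515"       // constructed client address
	req.Header.Set("X-Real-IP", "203.0.113.7") // constructed, as an upstream hop might set it
	req.Header.Set("Via", "1.1 corp-gateway")  // constructed

	rec := httptest.NewRecorder()
	p.ServeHTTP(rec, req)
	if rec.Code != http.StatusOK {
		return nil, fmt.Errorf("proxy returned status %d", rec.Code)
	}
	leaked := map[string]string{}
	for _, h := range identifyingHeaders {
		if v := ct.sent.Header.Get(h); v != "" {
			leaked[h] = v
		}
	}
	return leaked, nil
}

func main() {
	stock, _ := forwardedHeaders(false)
	fmt.Println("stock proxy forwards:   ", stock) // client IP and hop headers reach the origin
	hardened, _ := forwardedHeaders(true)
	fmt.Println("hardened proxy forwards:", hardened) // map[]
}
```

The check worth keeping from this example is the last one: run a request through the proxy and inspect what actually leaves it, rather than trusting that a header was deleted. Hiding the IP address is only the network-level part of "protecting client identities"; cookies, Referer and Authorization headers still identify the user at the application level and are a separate policy decision.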
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CROSS-REFERENCE TO RELATED APPLICATIONS This patent application is a 
continuation-in-part of U.S. patent application Ser. No. 08/346,425, filed Nov. 29, 
1994 and titled "SYSTEM AND METHOD FOR SCHEDULING BROADCAST OF AND ACCESS TO VIDEO 
PROGRAMS AND OTHER DATA USING CUSTOMER PROFILES", now U.S. Pat. No. 5,758,257, which 
application is assigned to the same assignee as the present application. 
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Detailed Description Paragraph Right (153) : 

Although users' true identities are protected by the use of secure mix paths, 
pseudonymity does not guarantee complete privacy. In particular, advertisers can in 
principle employ user-specific data to barrage users with unwanted solicitations. 
The general solution to this problem is for proxy server S2 to act as a 
representative on behalf of each user in its user base, permitting access to the 
user and the user's private data only in accordance with criteria that have been set 
by the user. Proxy server S2 can restrict access in two ways: 



3/16/02 3:04 PM 








US-PAT-NO: 5754939 

DOCUMENT-IDENTIFIER: US 5754939 A 

TITLE: System for generation of user profiles for a system for customized electronic 
identification of desirable objects 

DATE-ISSUED: May 19, 1998 
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CROSS-REFERENCE TO RELATED APPLICATIONS This patent application is a 
continuation-in-part of U.S. patent application Ser. No. 08/346,425, filed Nov. 28, 
1994 and titled "SYSTEM AND METHOD FOR SCHEDULING BROADCAST OF AND ACCESS TO VIDEO 
PROGRAMS AND OTHER DATA USING CUSTOMER PROFILES", which application is assigned to 
the same assignee as the present application. 
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TITLE: System for generation of user profiles for a system for customized electronic 
identification of desirable objects 



Detailed Description Paragraph Right (79) : 

Although users' true identities are protected by the use of secure mix paths, 
pseudonymity does not guarantee complete privacy. In particular, advertisers can in 
principle employ user-specific data to barrage users with unwanted solicitations. 
The general solution to this problem is for proxy server S2 to act as a 
representative on behalf of each user in its user base, permitting access to the 
user and the user's private data only in accordance with criteria that have been set 
by the user. Proxy server S2 can restrict access in two ways: 
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DOCUMENT-IDENTIFIER: US 5754938 A 

TITLE: Pseudonymous server for system for customized electronic identification of 
desirable objects 



Detailed Description Paragraph Right (81) : 

Although users' true identities are protected by the use of secure mix paths, 
pseudonymity does not guarantee complete privacy. In particular, advertisers can in 
principle employ user-specific data to barrage users with unwanted solicitations. 
The general solution to this problem is for proxy server S2 to act as a 
representative on behalf of each user in its user base, permitting access to the 
user and the user's private data only in accordance with criteria that have been set 
by the user. Proxy server S2 can restrict access in two ways: 
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